UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows must restrict access to cryptographic role.


Overview

Finding ID Version Rule ID IA Controls Severity
V-94829 VCWN-65-000063 SV-104659r1_rule Medium
Description
vSphere 6.5 modifies the built-in "Administrator" role to add permission to perform cryptographic operations such as KMS operations and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. A new built-in role called "No Cryptography Administrator" has been added to provide all administrative permissions except cryptographic operations. Permissions must be restricted such that normal vSphere administrators are assigned the "No Cryptography Administrator" role or more restrictive. The "Administrator" role must be tightly controlled and must not be applied to administrators who will not be doing cryptographic work. Catastrophic data loss can result from a poorly administered cryptography.
STIG Date
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2020-03-27

Details

Check Text ( C-94025r1_chk )
From the vSphere Web Client go to Administration >> Access Control >> Roles

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto

If there are any users other than Solution Users with the "Administrator" role that are not explicitly designated for cryptographic operations, this is a finding. 
Fix Text (F-100953r1_fix)
From the vSphere Web Client go to Administration >> Access Control >> Roles

Move any accounts not explicitly designated for cryptographic operations, other than Solution Users, to other roles such as "No Cryptography Administrator".